Authentication and Authorization

The Mercado Libre platform lets you work with our API's public and private resources via HTTP calls using GET, PUT, POST, DELETE and OPTIONS.
Public resources, such as available sites and categories, can be accessed anonymously, while private resources and user-specific actions, such as listing an item, giving feedback or viewing purchase/sale information, require application-based authorization.
This guide explains the meaning of authentication and the authorization flow to follow to obtain an access_token (the access key to private resources for each user who grants authorization to the application, valid for 6 hours).
For example: Without access_token (Public Resource)

Authentication

Authentication is the act or process of determining or confirming whether someone or something is, in fact, who or what it is declared to be.
In the case of a person, authentication consists of verifying his/her identity based on one or more factors, ensuring the sender’s data are correct.

Some authentication methods are:

Biometric methods, such as fingerprints or retinal scans.

Smart cards that save a user's certificate information.

Standard methods based on passwords.

For example, to log into Mercado Libre we authenticate ourselves by entering our user name and password.

Authorization

Authorization is the process whereby we allow someone or something to access private resources.
The authorization should define which resources can be accessed and which operations can be performed, since granting read-only access is not the same as granting read and write access.

How do we obtain authorization? Via the OAuth 2.0 Protocol, which is one of the most widely used protocols in open platforms (Twitter, Facebook, etc.) and a secure method to work with private resources.

OAuth offers:

Confidentiality, the user will never have to disclose his/her key.

Integrity, private data can only be viewed by applications with permission to do so.

Although each of them is used for different purposes depending on the service being developed, below you will find the explanation of the first two types since they will allow you to work with our resources and develop tools for every user in Mercado Libre.

Client-side

The Client-side authorization flow is better suited for applications that execute client-side code, e.g., applications developed in JavaScript/AJAX or Angular, or mobile applications.
For more information about this flow, go to the tutorial “Client-Side Authorization”.

Server-side

The Server-side authorization flow is better suited for applications that execute server-side code, such as applications developed in Java, Grails, Go, etc.
Note: This option will be helpful for applications executing cron jobs, to update product stock or operate when the user is not directly interacting with the application.
For more information about this flow, go to the tutorial “Server-Side Authorization”.

Use our SDKs

Using our SDKs, the authentication process will be simpler, since they save you from coding the whole OAuth protocol from scratch.
Our community is already using them!
We already provide SDKs for:

If you find an enhancement or have a suggestion, you can share it with the community by creating a pull request in our GitHub repository.

Considerations

Token validity and expiration
When you get an access_token, it will be immediately valid and usable to make requests to the API for a limited period of 6 hours.
There are also events which may cause an access_token to become invalid before the expiration time. For example: user changing his/her password, an application refreshing its App Secret and, of course, a user revoking permissions to your application.
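
One way an application can handle the 6-hour lifetime and the early invalidation described above. This is an added example, not Mercado Libre or SDK code; `AccessTokenCache`, `obtain_token`, `TokenInvalid` and the 5-minute safety margin are assumptions made for illustration.

```python
import time

TOKEN_LIFETIME_S = 6 * 60 * 60  # per the page: an access_token is valid for 6 hours
SAFETY_MARGIN_S = 5 * 60        # assumption: retire the token 5 minutes early


class TokenInvalid(Exception):
    """Hypothetical signal: the API rejected the token before its expiration time."""


class AccessTokenCache:
    """Holds one user's access_token and decides when it has to be replaced."""

    def __init__(self, obtain_token, clock=time.monotonic):
        self._obtain_token = obtain_token  # hypothetical callable: runs the authorization flow
        self._clock = clock                # injectable so expiry can be tested without waiting
        self._token = None
        self._issued_at = 0.0

    def get(self):
        """Return a usable token, obtaining a new one when the 6-hour window is closing."""
        age = self._clock() - self._issued_at
        if self._token is None or age >= TOKEN_LIFETIME_S - SAFETY_MARGIN_S:
            self._token = self._obtain_token()
            self._issued_at = self._clock()
        return self._token

    def invalidate(self):
        """Forget the token, e.g. after a password change, new App Secret or revocation."""
        self._token = None

    def call(self, request):
        """Run request(token); on early invalidation, get a new token and retry once."""
        try:
            return request(self.get())
        except TokenInvalid:
            self.invalidate()
            # One retry only: if the user revoked permissions, obtain_token or the
            # second request fails and the error reaches the caller instead of looping.
            return request(self.get())
```

The `request` callable is expected to raise `TokenInvalid` when the API rejects the token; how that rejection is detected depends on the HTTP client in use.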